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ABSTRACT 


The  U.S.  Navy's  first  surface  combatant  with  the  MK-41  Vertical  Launching 
System  (VLS)  was  commissioned  In  the  fall  of  1986.  The  Introduction  Into 
the  Fleet  of  this  advanced  launching  system,  with  Its, -a  ttr-i-bu t« s  — (-1  e  ' 

high  firepower,  high  survivability,  etc  requires  understanding  of  new 
aspects  of  missile  launcher  safety.  ^ — . 

S' s s  sJZjs* 

#1-1-1— discuss-  the  MK-41  VLS,  Its  safeguards,  Its  unique  safety  . 
related  differences  from  other  launching  systems  and  the  ®new  culture^  ^ 
required  of'^u^Navy  system  operators.  Note  that  for  the  MK-41  VLS,  there  is 
no '-^missile  "on  the  rall^  to  be  observed;  all  missiles  are  always  on  the  rail, 
ready  for  firing;  and  missiles  themselves  are  never  seen  or  moved  as  a  t. 
reminder  of  ordnance  hazards,  but  the  ^wooden  found® is  always  present. 

MK-41  VLS  safety  has  been  and  is  the  centerpiece  of  its  design  and 
additionally  it  must  be  operated,  observing  the  Cardinal  .Rules  of  MK-41  VLS 
safety:  '  ' 

s*  Maintenance  and  operation  only  by  trained  personnel  using  authorized 
procedures 

s*  Dead  electrical  missile  interface  until  intent  to  launch  •  W  ^ 

/  j 

No  mix  of  ordnance  and  missile  simulators.  u) Di  d z  ■.  tn  i  SIw 
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VLS:  A  CHALLENGE  MET,  AN  OLD  RULE  KEPT 


INTRODUCTION 
"Batteries  Released!" 

With  those  two  words,  USS  SAN  JACINTO  (CG-56)  commenced  simultaneous 
missile  launches  at  four  in-bound  supersonic  air  targets,  a  hostile  submarine 
contact  identified  as  an  OSCAR  class  laying  some  15,000  yards  astern,  a  KIROV 
class  cruiser  200  miles  SE  of  the  carrier  battlegroup  in  the  middle  of 
preparations  for  launching  her  own  cruise  missiles  and  finally,  at  a  tactical 
airfield  servicing  the  BACKFIRES  presently  under  attack  by  a  flight  of  F-lAs. 
Sounds  a  bit  far  fetched  to  say  simultaneous,  you're  thinking?  No  single  ship 
can  actually  be  firing  on  all  those  targets  at  the  same  time,  you  say? 

Up  until  September  20,  1986  you  would  have  been  correct.  But  on  that  day, 
with  the  commissioning  of  USS  BUNKER  HILL  (CG-52),  the  Surface  Navy  gained 
that  capability  and  a  lot  more  with  the  introduction  of  its  new  main  battery, 
the  Vertical  Launching  System  (VLS).  Designed  with  the  capability  to  fire 
Anti-Air  Warfare  (AAW) ,  Anti-Submarine  Warfare  (ASW) ,  and  Strike  and 
Anti -Surface  Warfare  (ASUW)  missiles  at  the  same  time,  VLS  indeed  makes  the 
opening  battle  scene  a  reality. 

This  paper  will  describe  this  new  launching  system  and  some  of  its,  in  the 
words  of  VADM  J.  Metcalf  (OP-03),  "revolutionary  applications  for  Surface 
Warfare."  It  will  uncover  and  examine  some  of  the  significant  aspects  of  this 
new  system  which  don't  often  receive  much  attention. .. that  is,  until  something 
goes  wrong.  Then,  as  in  the  case  of  any  accident  or  serious  system 
malfunction,  it  receives  everyones  closest  scrutiny.  I  am  speaking  of  the 
safety  of  this  new  launcher  and  the  principles  that  went  into  its  design  and 
development  to  allow  it  to  safely  store  and  then  shoot  multiple  missile  types 
all  at  the  same  time.  I  am  also  speaking  of  some  of  the  new  operational 
aspects  of  VLS  that  must  be  carried  into  the  Surface  Fleet  to  safely  operate 
this  revolutionary  new  system.  For  if  it  isn't  designed  safe  and  operated 
safely,  no  matter  how  much  capability  increase  VLS  brings,  it  is  all  for 
nought . 

OPERATIONAL  REQUIREMENTS 

A 8  in  the  design  of  all  new  systems,  whether  they  are  automobiles, 
airliners  or  warfighting  equipment,  new  capabilities  bring  design  trade-offs. 
Design  trade-offs  for  capability  in  turn,  lead  to  operational,  administrative, 
logistical  and  a  whole  host  of  other  trade-offs  including  those  affecting 
safety.  Unlike  other  trade-offs,  safety  can  never  be  compromised.  Safety  in 
the  design  of  US  Navy  systems  has  always  been  of  paramount  concern.  If 
allowed  to  become  the  end  in  itself,  it  can  severly  limit  or  even  make 
impossible  the  achievement  of  real  performance  gains.  Remember  the 
Occupational  Safety  and  Health  Act  (0SHA)  cartoons  that  first  circulated  with 
the  passage  of  this  law.  Certainly  they  graphically  described  the  problems 
facing  any  program  attempting  to  Introduce  a  new  system  if  safety  were  allowed 
to  become  the  sole  overriding  requirement.  The  challenge  of  VLS,  therefore, 
was  to  maintain  a  balance  of  requirements,  make  real  and  significant  gains  in 
warfighting  ability,  yet  not  compromise  safety  in  its  entire  Service-Use 
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profile.  The  only  way  to  accomplish  this  was  to  system  engineer  safety  Into 
the  design  from  day  one. 

In  the  case  of  the  Vertical  Launching  System,  threat  scenarios  to  surface 
ships  from  air-attack  created  the  need  for  a  rapid  firing  surface-to-air 
missile  launcher  with  an  extremely  short  reaction  time  (the  time  from  missile 
selection  to  missile  away)  with  the  ability  to  carry  and  fire  more  missiles 
than  existing  launchers.  In  addition,  this  new  launcher  was  to  have  the 
capability  to  launch  at  least  two  other  missile  types  and  provide  nuclear 
weapons  capability.  This  call  for  a  high  firepower  launcher  is  also  carried 
with  it  the  need  to  reduce  the  manning  associated  with  operation  and 
maintenance.  If  your  translate  these  very  general  requirements  into  other 
words,  one  can  begin  to  appreciate  how  critical  it  was  to  consider  all  aspects 
of  launcher  safety  from  the  onset.  Some  of  the-  more  significant 
considerations  follow. 

The  challenge  to  store  and  fire  multiple  missile  types  in  a  single 
launcher  is  not  new.  The  challenge  to  do  this  with  ready-for-launch  ordnance 
stored  in  density  aboard  ship  roughly  equivalent  to  that  of  a  bulk  storage 
magazine  seen  in  our  weapons  stations  and  still  provide  a  high  performance 
firing  capability  IS  NEW. 

High  density  leads  to  the  vertical  stowage  of  all  missiles.  Rapid  response 
and  firing  rate  required  consolidating  the  normal  missile  launch  "rail”  into 
the  missile  storage  condition,  giving  the  ability  to  launch  all  missiles  from 
their  stored  vertical  position  and  eliminating  the  need  for  handling 
operations  associated  with  taking  a  missile  from  its  "ring"  and  running  it  out 
on  the  "rail,”  present  in  most  other  shipboard  launchers.  It  also  removed  the 
need  to  train  and  elevate  a  missile  prior  to  firing.  This  single  fundamental 
change  allowed  the  significant  improvements  VLS  brings  in  the  number  of 
missiles  a  ship  can  now  carry  as  well  as  its  much  shorter  response  time  and 
substantially  higher  firing  rate.  This  simple  change  also  carried  with  it, 
several  revolutionary  considerations  with  regard  to  operation  and  safety. 
Early  design  effort  had  to  recognize  and  engineer  into  VLS,  the  solutions  to 
answer  such  issues  as: 

*Each  missile  is  now  "connected"  to  its  firing  circuits  as  soon  as  it  is 
loaded  in  the  launcher. 

*Each  missile  is  ignited  within  the  hull  of  the  ship  and  literally  flys 
itself  out  of  the  ship  on  its  way  to  the  target. 

*Each  missile  is  never  seen  by  the  crew  before  they  fire  it  since  it 
arrives  already  loaded  in  a  canister  which  becomes  part  of  its  firing  cell. 

*Aside  from  the  difference  in  missile  and  canister  lengths,  there  is  no 
at-a-glance  way  to  discriminate  missile  types  or  visually  check  the 
condition  of  a  missile  prior  to  firing. 

*Since  missiles  arrive  as  "all-up  wooden  rounds,”  they  cannot  be 
disassembled  or  tested  aboard  ship. 

Rapid  response,  high  firing  rate  and  reduced  manning  also  led  to  increased 
automation.  VLS  was  designed  as  an  UNMANNED  SYSTEM.  At  first  glance,  it  is 
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perhaps  a  major  step  forward.  But  automation,  while  generally  providing 
faster  operation  with  fewer  people,  also  carries  the  insidious  penalty  of 
taking  the  man  out  of  the  loop.  After  all,  this  launcher  was  intended  to 
provide  new  capabilities  for  concurrent  launching  of  multiple  missiles  at 
multiple  targets.  But  how  much  have  we  come  to  depend  on  that  "man  in  the 
loop"  for  ensuring  that  things  are  working  correctly  and  to  be  there  to  handle 
all  unanticipated  situations  that  only  time  and  circumstance  can  provide? 
With  the  increased  automation  that  the  threat  demands,  we  are  forced  to  remove 
that  man  one  step  farther  back  from  being  in  a  position  to  step  in  and 
exercise  control.  Again,  not  entirely  a  new  proposition,  but  one  which  when 
dealing  with  an  ordnance  requires  early  recognition  and  intensive  design 
effort  to  deliver  a  safe  product  to  the  fleet  operators.  One  which,  once 
delivered,  also  requires  corresponding  recognition,  understanding  and 
adjustment  on  the  part  of  the  operator. 

Automation  has  its  drawbacks  —  for  example  those  little  innocent  Os  and 
Is  which  continue  to  produce  incredible  events  when  just  one  is  not  in  its 
proper  place.  Increasing  complexity  in  modern  computerized  systems  has 
resulted  in  everyday  reports  of  massive  financial  transactions  being 
misrouted,  misplaced  or  misrecorded  as  a  result  of  a  computer  program  "bug." 
Bugs  are  reported  to  have  killed  or  severely  injured  patients  undergoing 
treatment  by  computer  controlled  medical  equipment.  Bugs  have  also  created 
many  incidents  within  the  military  that  we  all  remember.  It  takes  little 
imagination  to  think  of  what  the  results  of  mixing  computers  and  ordnance  can 
be  if  the  most  stringent  precautions  aren't  taken  to  safeguard  their 
interaction.  A  well  known  rule  based  on  painful  experience  is  that  ORDNANCE 
IS  UNFORGIVING!  The  challenge  in  VLS  to  FULLY  AUTOMATE  a  high  performance 
shipboard  multi-warfare  missile  launcher  was  indeed  formidable. 

WHAT  IS  A  VLS 

With  an  eye  toward  the  system  and  functional  safety  features,  which  will 
be  discussed  later  on,  this  section  will  guide  you  through  the  major  VLS 
components  follows. 

An  as  overview,  the  Vertical  Launching  System  is  a  very  simple  telephone 
switching  network  providing  the  communications  paths  for  missiles  and  their 
weapons  control  systems  (WCSs)  to  talk  to  one  another  (Figure  (1)).  As  a 
switching  network,  it  provides  the  necessary  safeguards  to  ensure  that  only 
the  correct  combination  of  parties  (i.e.,  WCSs  and  missiles)  communicate.  The 
Vertical  Launching  System  is  a  controller  and  scheduler.  It  enforces  a  set  of 
rules  each  system  must  follow  in  order  to  safely  and  properly  conduct  a 
missile  launch.  It  manages  and  distributes  the  command  stream  coming  from  a 
WCS  or  several  WCSs,  monitoring  ,  all  communications  for  proper  order.  It 
distributes  the  communications  load  over  the  system,  allowing  up  to  32 
simultaneous  conversations.  As  a  scheduler,  it  performs  any  launcher  related 
functions  required  to  fire  a  missile  (such  as  opening  a  hatch)  at  the  proper 
point  in  the  launch  sequence. 

VLS  is  modular  electronic  launcher  assembled  from  basic  building  units.  A 
closed  canister  containing  a  missile,  when  mated  with  a  module,  forms  a 
distinct  launch  cell.  Each  module  contains  eight  cells  (rails)  and  can  be 
combined  with  other  modules  in  launcher  configurations  of  up  to  sixteen 
modules  per  ship.  Each  module  grouping  is  combined  into  one  or  more  launcher 
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assemblies  and  landed  In  a  ship  to  become  an  Integral  part  of  the  hull 
assembly  (Figure  (2)).  Presently,  AEGIS  cruisers  carry  sixteen  moduleo  In  two 
groups  of  eight,  one  forward  and  one  aft;  the  SPRUANCE  Class  destroyers  have 
one  eight  module  launcher  located  forward;  and  the  ARLEIGH  BURKE  Class 
destroyers  are  planned  to  have  twelve  modules  In  their  launcher,  four  forward 
and  eight  aft. 

VLS  Is  also  a  very  large  shipboard  storage  magazine  for  a  collection  of 
smaller  storage  magazines  -the  canisters-  containing  any  of  three  missile 
types— STANDARD  MISSILE,  TOMAHAWK  and  ASROC.  The  launcher  Is  designed  to 
carry  any  missile  type  In  any  cell.  As  a  magazine  within  a  launcher,  its 
Individual  canisters  provide  all  firefighting  as  well  as  all  security  and 
environmental  protection  required  of  a  magazine  for  the  safe  storage  of 
ordnance. 

The  Vertical  Launching  System,  as  is  quickly  seen  from  this  simple 
overview  is  a  hybrid  of  many  different  species  combined  in  such  a  way  that  the 
whole  is  much  much  greater  that  the  sum  of  the  parts.  Now  lets  look  at  the 
launcher  component  parts  in  more  detail. 

As  indicated  earlier,  an  eight-cell  module,  called  the  standard  module,  is 
the  basic  building  block  replicated  to  form  a  launcher  assembly.  Each  module 
contains  all  the  equipment  necessary  to  function  as  its  own  independent 
launcher  with  the  exception  of  external  power  distribution  electronics, 
lighting  and  communications  assemblies  which  are  contained  on  only  one 
module — designated  the  the  systems  module — of  any  module  grouping.  Each 
module  consists  of  a  lattice  work  structure  connecting  a  deck  and  hatch 
assembly  with  a  plenum  base  and  uptake  assembly.  The  plenum  and  uptake 
provide  the  missile  exhaust  gas  a  path  to  the  atmosphere  which  allows  ignition 
of  each  missile  within  the  ship’s  hull  (Figure  (3)).  This  gas  management 
system,  because  it  redirects  the  missile  blast  and  exhaust  below  deck  to  the 
outside,  is  lined  with  a  heat  resistant  ablative  material  to  withstand  over 
multiple  missile  firings,  the  significant  pressures  and  high  temperatures 
generated  in  a  rocket  plume.  The  plenum  and  uptake  are  capable  of  containing 
and  surviving  a  full  burn  restrained  firing  without  loss  of  gas  management 
integrity. 

A  third  module  type,  called  the  strikedown  module  is  identical  to  a 
standard  module  except  that  three  firing  cells  are  replaced  by  an  articulating 
crane  assembly  mounted  on  an  elevator.  This  module  provides  canister  and 
equipment  handling  capability  for  rearming  and  maintenance  operations. 

The  only  moving  mechanical  components  of  the  launcher  during  firing  are 
the  individual  cell  hatches  which  cover  and  protect  each  cell  and  the  uptake 
hatches.  They  are  designed  to  provide  topside  ballistic  protection  with 
watertight  integrity  yet  open  quickly  by  means  of  individual  drive  motors. 
Each  module  contains  an  integral  water  deluge  system  which  connects  to  each 
canister  to  provide  a  water  cool  down  in  the  event  of  high  canister 
temperatures  or  a  missile  restrained  firing.  This  deluge  system  is  inhibited 
in  a  canister  during  its  own  missile's  firing. 

Two  electronic  assemblies  called  the  launch  sequencer  (LSEO)  and  the  motor 
control  panel  (MCP)  are  mounted  on  each  module  lattice  structure.  The  MCP 
provides  power  distribution  to  each  of  the  module’s  eight  cells  and  controls 
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the  activation  of  the  module  hatches  on  commands  from  the  LSEQ.  The  MCP  also 
activates  the  module  plenum  drain  system  in  the  event  water  enters  the  module 
plenum. 

The  LSEQ  combines  and  integrates  digital  electronics  with  electro¬ 
mechanical  relays  to  provide  the  second  level  command  and  control 
communication  functions  for  all  module  and  missile  interactions.  As  such,  it 
forms  one  part  of  the  launch  control  system  (LCS).  The  LSEQ  also  provides  the 
electronics  to  control  and  conduct  module  level  self-testing  using  built-in 
test  equipment  (BITE).  Unless  the  launcher  is  actually  firing  missiles,  BITE 
is  periodically  run  to  provide  a  constant  health  check  and  module  status 
report.  A  continuously  powered  section  of  the  LSEQ  monitors  several  hazard 
circuits  on  the  module  and  within  each  canister  and  provides  the  status  of 
these  conditions  to  several  locations  outside  the  launcher  spaces. 
Internally,  each  LSEQ  is  split  into  two  sections  with  each  section  controlling 
four  of  the  eight  module  cells.  This  feature  enhances  the  modularity  of  the 
design  and  restricts  the  effects  of  casualties  to  a  half-module. 

Redundant  power  supplies  are  mounted  beneath  each  module’s  power  access 
walkway,  providing  module  and  missile  power.  They  are  controlled  by  the  LSEQ 
and  provide  external  operating  power  to  missiles  until  just  prior  to  launch. 
They  are  also  the  energy  source  which  inflates  commanded  major  ordnance 
functions  such  as  booster  Ignition  and  missile  restraint  release. 

A  damage  control  junction  box  and  local  status  panel  are  assembled  with 
each  group  of  modules  to  provide  a  complete  interface  to  the  ship's  damage 
control  center  and  combat  information  center  (CIC).  Up-to-date  hazards  (e.g., 
high  temperature  conditions)  and  system  status  information  on  each  missile  and 
module  is  indicated  on  the  status  panel  and  passed  to  the  ship’s  damage 
control  center  or  CIC.  The  local  status  panel  also  controls  launcher  power, 
enables  the  strikedown  and  anti-icing  systems  and  provides  a  manually  operated 
hard-wired  interrupt  to  prevent  missile  launches  while  the  launcher  is 
occupied. 

The  VLS  canister  is  a  corrigated  metal  container  with  internal  adaptive 
hardware  for  missile  restraint,  shock  mitigation  and  safe  and  arming  systems 
peculiar  to  each  missile  type.  The  canister  functions  as  the  packaging, 
handling,  shipping  and  transportation  container  for  its  missile  as  well  as  its 
launch  rail  and  gas  management  cell.  It  contains  an  integral  deluge  piping 
and  manifold  spray  assembly  which  delivers  40  gallons  of  water  per  minute  when 
activated  by  a  high  temperature  condition  within  the  canister  or  during  a 
restrained  firing.  The  canister  is  loaded  at  a  weapons  station  and  sealed 
with  a  forward  fly-through  cover  and  aft  blow  out  closure  to  provide  complete 
environmental  protection.  An  electrical  cable  assembly  within  the  canister 
mates  the  missile  with  its  LSEQ  umbilical.  Each  canister  contains  either  a 
canister  safe  and  enable  switch  (CSES)  or  a  critical  function  interrupt  switch 
(CFIS)  which  mechanically  interrupts  all  ordnance  lines  to  the  missile.  It  is 
accessible  from  the  module  walkways  and  must  be  manually  activated  prior  to 
missile  launch.  The  LSEQ  monitors  each  switch  position  and  reports  its  "safe" 
or  "enabled"  position  status.  Each  canister  contains  a  coded  plug  which 
identifies  the  missile  it  contains.  This  plug  is  configured  by  the  weapons 
station  at  the  time  the  missile  is  encanistered  and  is  inserted  in  a  canister 
cable  harness  connector  prior  to  closure. 
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VLS  uses  three  canister  configurations  today  (Figure  4):  the  MK-13  for 
Standard  Missile,  the  MK-14  for  TOMAHAWK,  and  the  MK-15  for  Vertical  Launched 
ASROC.  Since  the  launcher  is  sized  for  the  largest  missile  type,  the  264" 
TOMAHAWK,  36”  adapters  are  used  with  the  MK-13  and  MK-15  canisters  to  mate 
them  to  the  module  plenum. 

The  last  major  component  of  the  VLS  is  the  computer  programs  and  equipment 
which  are  the  heart  of  the  system.  The  launch  control  unit  (LCU)  and  launch 
control  computer  programs  (LCCP)  complete  the  launch  control  system.  This 
digital  system  provides  the  redundant  interfaces  back  into  the  combat  system 
and  out  to  each  launcher  to  connect  each  weapons  control  system  to  its 
missiles  through  the  appropriate  launch  sequencers.  This  subsystem  serves  as 
the  first  level  of  command,  control  and  communication  for  VLS  and  is  located 
outside  the  launcher  spaces  in  the  ship's  computer  spaces.  The  LCU  and  its 
associated  teletype,  video  and  mag-tape  input/output  peripherals  are 
completely  redundant  with  each  half  able  to  control  all  missiles  in  up  to 
sixteen  modules.  'Normal  operation  calls  for  each  LCU  to  share  the  total 
inventory  with  a  single  LCU  assigned  primary  responsibility  for  managing  half 
the  missiles  on  a  per  launcher  basis. 

Having  discussed  the  significant  components  that  make  up  a  VLS,  it  is  time 
to  briefly  describe  their  collective  operation  before  describing  how  they 
safely  perform  their  demanding  mission. 

SYSTEM  OPERATION 

When  the  Vertical  Launching  System  is  powered  up,  prior  to  entering  one  of 
its  three  operational  modes,  it  performs  a  self-initialization.  To  do  this, 
it  conducts  a  system  level  BITE  by  commanding  individual  module  built-in 
tests,  collecting  the  results  and  then  reporting  its  operational  readiness 
status  to  its  own  teletype  and  magnetic  tape  drive  and  any  weapons  control 
system  that  is  on-line.  Concurrent  with  the  BITE,  it  is  also  establishing  its 
present  inventory  by  querying  each  launch  sequencer  which  in  the  course  of 
their  own  power  up  sequence  has  established  a  module  level  inventory  of  each 
of  its  own  eight  cells.  This  inventory  is  established  by  the  LSEQ  reading 
hardwired  canister  coding  plugs  assembled  with  every  missile  and  containing  a 
unique  sixteen  bit  ID  for  each  missile  type.  The  system  inventory  is 
subsequently  reported  at  the  LCU  peripherals  and  passed  immediately  to  on-line 
WCSs. 

Upon  completion  of  this  initialization,  the  launcher  assumes  a  STANDBY 
mode  awaiting  commands  from  any  WCS.  Standby  is  the  normal  mode  the  launcher 
will  operate  in  more  than  90%  of  the  time.  While  in  this  mode,  periodic  BITE 
tests  will  be  automatically  commanded  to  maintain  a  fresh  launcher 
availability  status.  Also  in  this  mode,  the  LCUs  will  continuously  check  each 
digital  interface  with  each  on-line  WCS  as  well  as  to  each  of  its  own  LSEQs. 
When  commanded,  the  launcher  will  transition  in  milliseconds  to  one  of  two 
other  modes. 

In  the  SIMULATION  mode,  VLS,  while  maintaining  inactive  launch  circuits  to 
the  LSEQs ,  provides  normal  but  simulated  launch  responses  to  a  WCS  to  allow 
weapon  systems  testing  or  combat  systems  testing  or  combat  systems  training. 
The  crew  can  call  for  simulated  inventories  or  system  faults  while  the  actual 
inventory  is  maintained  safe.  Actual  launcher  status  conditions  are  gathered 
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and  kept  ready  for  Immediate  reporting  when  the  launcher  Is  returned  to 
standby. 

The  third  mode  of  VLS,  called  READY  ALERT,  Is  that  commanded  to  select 
missiles  for  actual  launch.  All  launch  related  orders  are  executed  and  all 
other  mode  commands  Ignored  until  ready  alert  Is  removed  by  the  original 
WCS(s)  which  commanded  it.  Each  WCS  must  order  VLS  to  ready  alert  (even  if 
VLS  is  already  conducting  launches  with  another  WCS)  in  order  to  shoot  its  own 
particular  missiles.  While  in  ready  alert  mode,  the  launch  enable  function 
must  be  enabled  either  in  the  CIC  or  at  the  local  status  panel  in  order  for 
launch  operations  to  proceed.  Likewise,  all  canister  switches  intended  for 
launch  must  be  in  the  enable  position.  The  status  of  each  switch  position  is 
part  of  the  data  reported  on  a  continuing  basis,  first  during  initial 
Inventory  and  then  through  constant  monitoring.  Missiles  may  be  selected  by 
the  VLS.  Selection  by  VLS  is  based  on  system  criteria  for  such  things  as 
uniform  inventory  depletion  across  modules,  weight  and  moment,  module  ablative 
wear  and  missile  deconf liction. 

Each  module  is  designed  for  simultaneous  preparation  of  two  missiles,  one 
on  each  half  module  (4-Cell),  allowing  an  AEGIS  cruiser  for  example, 
simultaneous  preparation  of  32  AAW,  ASW,  or  Strike  and  ASUW  missiles  in  any 
combination.  At  the  final  stages  of  missile  preparation,  VLS  begins  opening 
hatches  and  performing  other  launcher  functions  necessary  for  launch.  When 
these  operations  are  completed  and  verified  by  both  digital  and  mechanical 
checks,  booster  ignition  commands  are  passed  to  ready  missiles  and  they  fly 
themselves  out  of  the  launcher.  Cell  hatches  are  closed  when  sensors  indicate 
that  the  missile  Is  clear  of  the  launcher.  If  any  malfunction  occurs  during 
this  entire  process,  automatic  saflng  routines  are  executed  and  replacement 
missiles  are  selected.  Since  AAW  targets  have  the  highest  priority,  VLS 
allows  interruption  of  a  TOMAHAWK  initialization  for  selection  and  firing  of 
an  SM-2  from  the  same  half  module.  VLS  will  then  resume  the  TOMAHAWK 
initialization  without  loss  of  data.  This  identical  capability  is  true  in  the 
event  the  second  highest  priority  warfare  area  requires  it.  At  the  end  of  an 
engagement,  the  WCS(s)  order  VLS  back  to  standby  mode  and  receive  an  updated 
inventory  and  availability  status.  A  typical  AAW  launch  sequence  is  shown  in 
Figure  5, 

SYSTEM  SAFETY  CONCEPTS  AND  TENANTS 

VLS  was  designed  as  an  unmanned  missile  launcher  under  the  operational 
control  of  the  weapons  systems  of  the  missiles  it  launches  as  part  of  either 
an  integrated  or  federated  combat  system  architecture.  To  meet  its 
requirements  and  faithfully  yet  safely  serve  many  potential  masters,  a  great 
deal  of  system  safety  engineering  had  to  be  accomplished  within  the  launcher 
as  a  function  of  its  design  as  well  as  the  designs  of  those  systems  it  serves. 

At  the  very  beginning  of  its  demonstration  and  validation  phase,  VLS 
established  clear  safety  concepts  and  design  tenants  to  be  followed  rigorously 
during  the  course  of  its  development  and  deployment.  These  concerns  and 
tenants  became  the  rules  that  guided  detailed  design  and  the  course  of  the 
many  decision  trade-offs  which  in  turn  directly  determined  its  operation  and 
maintenance  procedures. 
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COMPLETE  AND  ABSOLUTE  ISOLATION  OF  ALL  ELECTRICAL  SIGNALS  FROM  A  MISSILE 
UNTIL  IT  IS  INTENDED  TO  BE  LAUNCHED  ATTACKS  PREMATURE  OR  INADVERTANT 
INITIATION  OF  ANY  ORDNANCE  AT  ITS  MOST  FUNDAMENTAL  LEVEL  AND  ESTABLISHES  A 
SAFETY  PRECEPT  CONSISTENT  WITH  THE  STOWAGE  OF  A  MISSILE  READY  FOR  FIRING  ON 
ITS  LAUNCH  RAIL!  If  you  haven't  quessed  already,  first  and  foremost  in  these 
simple  yet  formidable  convenants  is  the  rule  that  power  is  never  applied  to 
the  encanlstered  missile  until  the  missile  is  Intended  to  be  launched. 

Using  the  first  tenant  as  a  cornerstone,  the  requirement  for  multiple 
INDEPENDENT  INTERLOCKS  to  safeguard  EVERY  ordnance  function  was  added.  These 
Interlocks  had  to  be  designed  to  form  a  hierarchy  of  safety  layers  throughout 
the  system,  capable  of  progressive  removal  as  conditions  of  readiness 
increased. 

In  tandem  with  this  second  tenant,  a  MINIMUM  LEVEL  OF  THREE  interlocks  was 
set  as  a  threshold  and  each  set  of  interlocks  had  to  include  both  independent 
manual  and  automatic  operations.  This  design  principle  allowed  for  putting 
the  man  back  "in  the  loop"  at  critical  points  in  the*  launcher's  transition  to 
Increased  ship's  readiness  conditions,  yet  still  allowed  for  full  automatic 
operation  in  the  ready  alert  mode,  i.e.,  "go  to  w at." 

Lastly,  in  concert  with  the  modular  and  redundant  design  initiatives  keyed 
to  performance,  the  system  design  for  safety  had  to  RESTRICT  ANY  FAULT  IMPACTS 
to  the  module  or  individual  cell  level  to  minimize  their  effects  on  the  total 
system. 

These  four  VLS  unique  safety  precepts  were  then  melded  with  all  the  other 
applicable  existing  safety  requirements  covered  in  the  many  publications  and 
specifications  governing  ordnance,  end  ordnance  systems  both  ashore  and  afloat 
to  form  the  total  system  safety  design.  The  direct  and  detailed  management  of 
this  effort  was  assigned  to  members  of  the  System  Safety  Engineering  Group  at 
Naval  Surface  Weapons  Center,  Drhlgren. 

The  results  of  this  foc.sed  on  priority  effort  to  build  safety  into  the 
VLS  from  conception  yielded  impressive  results  and  innovative  design  features 
which  allow  the  launcher  to  meet  all  of  its  operational  requirements  with  a 
high  degree  of  safety. 

MAJOR  SYSTEM  SAFETY  FEATURES 

At  the  weapons  systems  level,  the  LAUNCH  ENABLE  function  provides  the 
first  layer  of  sa'ety  by  electrically  isolating  all  missiles  until  authorized 
by  the  Commanding  Officer  or  TAO.  As  shown  in  Figure  6,  this  function  through 
serial  electro-mechanical  relays  in  each  LSEQ  physically  interrupts  the 
critical  missile  functions  listed  within  the  schematic  for  each  missile  type. 
Launch  Enable  is  controlled  by  key  activated  electrical  switches  located  in 
CIC  (primary)  or  at  each  local  status  panel  (backup).  The  Launch  Enable 
function  is  provided  at  the  local  status  panel  primarily  to  Isolate  the 
launcher  during  maintenance  operations  and  as  the  backup  to  the  remote  launch 
enable  panel  In  CIC  in  the  event  of  battle  damage.  When  the  key  switch  is 
turned,  an  electrical  signal  closes  the  Launch  Enable  relays.  Closing  these 
relays  enables  the  electrical  path  to  additional  relays  downstream.  These 
relays  are  subsequently  closed  by  additional  discrete  signals  at  the  proper 
pejnt  in  the  launch  sequence.  Removal  of  Launch  Enable  at  any  point  in  a 
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launch  sequence  prevents  launch  throughout  the  system.  By  monitoring  the 
presence  or  absence  of  this  signal,  VLS  reports  Its  status  to  each  WCS.  Each 
WCS  Is  then  able  to  proceed  with  or  Inhibit  further  missile  Initialization 
through  Internal  Interlocks  in  its  own  computer  program.  In  the  event  Launch 
Enable  Is  used  to  stop  a  launch  in  progress,  both  VLS  and  WCS  can 
automatically  Initiate  missile  safing  and  shutdown  routines  if  required. 

Weapon  systems  level  safety  is  also  provided  within  the  computer  programs 
of  both  the  WCSs  and  VLS  LCUs.  In  the  event  of  the  loss  of  communications 
between  WCS  and  VLS  and  failure  of  the  redundant  communications  path,  VLS  will 
automatically  safe  and  power  down  all  missiles  communicating  with  that  WCS. 
Additionally,  VLS  or  any  WCS  can  independently  initiate  such  safing  sequences 
upon  the  detection  of  any  abnormal  launch  conditions,  whether  they  are  present 
within  the  missile,  the  launcher  or  the  WCS.  Figure  7  illustrates  the  degree 
to  which  each  computer  program  (including  the  missiles')  performs  constant 
message  validation  for  all  messages  going  across  its  interface(s) .  Beyond  the 
normal  checksum  processing  used  in  all  good  digital  communication  protocols, 
proper  addressing  and  sequencing  for  each  missile  in  each  cell  location  is 
monitored  and  enforced  on  a  message  by  message  basis.  Any  discrepancy  in  any 
message  is  cause  for  rejection  and  up  to  three  retries  are  allowed.  After  a 
third  retry  failure,  the  system  declares  a  loss  of  communications  and  proceeds 
to  use  back  up  channels.  If  these  channels  aren't  working  properly,  any  or 
all  of  the  elements  of  the  weapons  system  will  again  automatically  safe  the 
missile  and  either  select  another  missile  or  secure  from  launch. 

Positive  and  safe  control  is  maintained  within  the  VLS  through  additional 
launcher-unique  design  features.  Figure  8  illustrates  the  potentially 
hazardous  conditions  which  are  monitored  within  each  cell  and  within  the 
launcher  along  with  a  flow  chart  of  where  each  of  these  conditions  are 
reported.  The  functions  shown  under  the  box  labeled  "Damage  Control”  are 
powered  continuously,  even  if  the  launcher  is  powered  down.  Since  these 
functions  are  critical  to  the  ship,  they  have  a  back  up  power  source  which 
automatically  maintains  active  hazardous  monitoring  in  the  event  primary  power 
from  the  ship  is  lost. 

The  LCCP  prioritizes  and  classifies  each  condition  according  to  its  total 
system  impact  under  all  operating  conditions  of  the  launcher  and  exercises 
appropriate  alarms,  interlocks  and  inhibits.  In  the  event  that  an  anomolous 
condition  occurs  during  a  missile  firing,  according  to  its  particular 
classification,  VLS  may  continue  to  launch  or  stop  it.  If  it  interrupts  a 
launch,  it  will  either  initiate  automatic  safing  routines,  or  with  certain 
faults,  request  that  an  operator  through  manual  action  activate  an  override. 
Given  an  override  command,  it  will  allow  the  firing  as  planned.  The  LCCP  also 
contains  provisions  to  safely  conduct  exercise  firings  to  ensure  that  only  the 
exercise  bird  is  launched.  This  allows  a  ship  to  receive  and  conduct  its 
exercise  under  close  to  tactical  conditions  without  unloading  its  tactical 
missiles.  When  placed  in  the  "exercise  state,"  an  operator  at  the  launch 
control  unit  must  authorize  the  specific  cell  or  cells  to  be  fired  and  this 
authorization  must  agree  exactly  with  the  configuration  of  canister  switch 
positions  of  all  missiles.  If  it  doesn't,  all  launch  related  orders  are 
rejected  and  the  system  will  not  proceed  into  its  ready  alert  (i.e.,  missile 
firing)  mode. 

Each  LSEQ  enforces  still  further  designed  safety  features  for  its  module 
and  individual  cells.  Beyond  the  continuous  hazards  monitoring  already 
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mentioned,  the  LSEQ  regularly  exercises  BITE  to  detect  and  report  any  anomolls 
conditions  occurring  within  its  module,  conducts  continuous  warhead 
identification  validation  as  part  of  its  inventory  monitoring  routine,  and 
monitors  and  reports  the  position  of  all  canister  switches.  The  LSEQ  also 
performs  independent  message  validity  checks,  monitors  the  position  of  all 
hatches  and  canister  dogs  for  proper  positioning,  provides  automatic  operation 
of  the  deluge  cool  down  system  and  plenum  drain  system,  and  detects  any 
changes  in  missile  identification  or  inventory.  As  part  of  the  hierachy  of 
system  interlocks,  the  LSEQ  enforces  those  shown  in  Figure  (9)  prior  to 
reporting  to  the  LCU(s)  and  WCS(s)  that  both  missile  and  module  are  ready.  No 
ordnance  events  occur  prior  to  this  message  and  without  a  satisfactory  report, 
launch  operations  are  suspended  and  that  particular  missile  is  safed. 

Recognizing  that  no  design  is  perfect  and  remembering  those  little  digits, 
VLS  provides  for  safely  handling  the  classical  ordnance  incidents  which  can 
occur  —  namely,  a  dud,  a  misfire,  a  hangfire  or  a  restrained  firing.  Figure 
(10)  itemizes  the  abnormal  launch  conditions  that  can  arise  and  lists  the 
combat  system  response  designed  into  the  system  to  safely  handle  these 
circumstances.  In  the  event  that  a  dud  or  misfire  (hangfires  aren't 
applicable  to  VLS  —  they  become  either  misfires  of  restrained  firings)  do 
occur,  the  safest  place  for  the  suspect  missile  to  be  is  within  the  launcher. 
Although  there  is  an  ability  to  jettison  a  canistered  missile  using  the 
strikedown  system,  this  would  create  a  much  more  hazardous  condition  than 
keeping  it  safely  stowed  (and  under  constant  monitoring)  until  it  can  be 
returned  to  port  and  removed  under  strictly  controlled  conditions. 

To  provide  these  concepts  and  demonstrate  these  features,  VLS  embarked  on 
a  major  effort  of  analysis,  test  and  independent  review.  Over  20  different 
contractor  and  government  activities  conducted  more  that  100  different  major 
safety  analyses  on  every  piece  of  equipment  or  computer  program  in  the  weapons 
systems.  More  than  20  separate  and  independent  safety  panels  or  boards 
reviewed  the  total  design  for  safety  in  the  course  of  its  development.  Naval 
Sea  Systems  Command  also  convened  a  Blue  Ribbon  Safety  Panel  of  senior 
ordnance  and  combat  system  experienced  Navy  Captains  Chaired  by  a  Flag  Officer 
to  specifically  review  VLS's  readiness  for  deployment.  t  received 
unqualified  approval. 

Not  relying  on  ju6t  analysis,  VLS  established  a  comprehensive  test  program 
to  demonstrate  the  design.  A  structured  sequence  of  tests  were  prescribed 
from  the  component  level  up  to  full  scale  flight  demonstrations  for  each 
missile  type  and  then  for  each  combination  of  missile  types.  Permanent  full 
system  level  test  sites  were  established  for  each  missile  type  and  thousands 
of  both  "go"  and  "no  go”  tests  were  run  using  sophisticated  simulators  and 
inert  but  operationally  capable  missiles.  Over  50  flight  tests  were  flown 
from  land-based  test  sites  or  from  a  test  and  evaluation  ship  at  sea. 
Thousands  of  manhours  at  more  than  seven  different  facilities  were  dedicated 
to  just  system  fault  processing  in  order  to  wring  out  any  "bugs”  in  the 
computer  programs  and  LSEQ  firmware.  This  testing  continues  today  as  VLS 
prepares  for  its  Milestone  IIIB  decision. 

In  the  final  section  to  follow,  I  will  identify  some  of  the  new 
operational  and  life  cycle  maintenance  considerations  of  this  system.  After 
all,  VLS  is  still  only  an  adolescent. 
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KEEPING  IT  SAFE 


All  these  safety  features  are  built  Into  the  VLS  design  and  now  with  the 
system  actually  deploying  In  active  Fleet  units,  the  challenge  will  be  to 
preserve  them.  The  disciplines  set  In  motion  during  the  development  phase 
must  Le  maintained  over  the  operational  life  of  the  system. 

Some  of  the  less  obvious  safety  Implications  of  the  VLS  still  face  us  and 
require  great  adjustment  on  the  part  of  the  Captains  and  Crews  who  will  fight 
with  VLS.  There  Is  no  "blue  missile"  In  the  VLS  launcher.  No  "blue  missile” 
means  no  dally  system  operability  testing  (DSOT).  If  you've  ever  been 
anywhere  near  a  ship  recently,  you  know  that  the  results  of  DSOTs  are  one  of 
the  major  items  on  a  Dally  Report.  Image  the  consternation  of  a  Weapons 
Officer  with  VLS  in  not  KNOWING  that  his  launcher  is  "up"  because  he  cannot 
put  a  test  round  in  his  system  and  verify  that  it's  working  end  to  end.  This 
is  not  a  small  point  when  you  consider  that  years  of  experience  and  daily 
routines  with  complex  systems  indicate  that  It  Is  what's  required  to  really 
know  you're  ready.  The  fundamental  rule  of  no  power  in  the  launcher  precludes 
this  practice.  With  "wooden  rounds"  and  the  design  of  VLS  to  automatically 
select  missiles,  there  can  be  no  such  thing  as  cycling  the  launcher  to  be  sure 
it  works.  Beyond  challenging  the  VLS  to  demonstrate  its  high  availability  and 
reliability,  it  challenges . that  Weapons  Officer  to  believe  in  its  extensive 
built-in  tests  ...  not  an  easy  request  to  make. 

"Wooden  rounds"  fully  encanistered  in  their  launch  cell  change  other 
standard  operating  procedures  as  well.  Perhaps  with  harpoon  having  led  the 
way,  the  rigorous  accountability  and  responsibility  associated  with  receipt 
Inspection,  custody  transfer  and  inventory  management  of  ordnance  that  can't 
be  physically  seen  and  positively  identified  by  serial  number  won’t  be  so 
traumatic.  Ordnance  safety  has  long  relied  on  the  "seeing  is  believing" 
principle  not  trusting  in  just  paperwork. 

Then,  what  of  the  old  phrase  ...  "I  shot  an  arrow  in  the  air...".  As 
trite  as  this  may  sound,  it  will  take  several  years  and  lots  of  missile 
firings  to  overcome  at  least  a  gut-level  apprehension  on  the  part  of  the 
operators  that  not  "pointing"  a  missile  as  on  a  rail  launcher  is  really  a 
safe  thing  to  do.  That  same  type  of  apprehension  will  linger  for  a  long  while 
over  igniting  missiles  two  decks  below  the  main  deck  and  believing  that  they 
will  fly  safely  away.  These  are  all  small  things  certainly,  but  they  are 
legitimate  concerns  when  dealing  with  a  new  order  of  things  and  should  not  be 
lightly  dismissed.  Lots  of  little  worries  will  raise  their  ugly  heads  when 
these  ships  with  VLS  are  far  away  from  Washington  and  the  engineers  who  built 
it. 


These  are  just  a  few  of  the  new  constraints  and  uncertainties  that 
accompany  VLS  into  the  Fleet.  To  preserve  the  safety  of  the  system,  VLS  has 
three  CARDINAL  RULES  OF  SAFETY  that  must  be  observed  during  operation  (Figure 
(11)).  If  these  rules  are  always  followed,  no  matter  what  the  circumstances, 
VLS  will  remain  a  safe  and  reliable  system. 
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The  first  rule  requires  no  explanation:  NEVER  APPLY  POWER  TO  A  MISSILE 

UNTIL  IT  IS  INTENDED  TO  BE  LAUNCHED. 

Secondly,  NEVER  MIX  SIMULATORS  WITH  LIVE  ORDNANCE. 

And  lastly,  VLS  MUST  BE  MAINTAINED  AND  OPERATED  ONLY  BY  TRAINED  PERSONNEL 

USING  AUTHORIZED  PROCEDURES. 

The  second  and  third  rules  deserve  some  discussion. 

During  the  course  of  the  launcher  development  several  very  simple  and 
sophisticated  missile  and  computer  program  simulators  were  developed  to  assist 
in  the  extensive  surety  testing  that  went  on.  When  connected  to  VLS,  they 
appear  in  every  way  to  be  a  real  missile.  VLS  cannot  distinguish  these 
simulators  from  a  real  missile,  and  if  they  are  ever  connected  to  VLS  when  ANY 
ordnance  is  in  the  launcher,  VLS  will  not  discriminate  between  the  simulator 
and  the  real  missile.  Considering  the  degree  of  automation  in  VLS,  this  can 
quickly  lead  to  EXTREMELY  UNSAFE  conditions.  This  is  a  rule  that  should  never 
be  broken. 

The  third  Cardinal  rule  of  Safety  is  a  little  easier  to  understand. 
Because  VLS  is  such  a  complex  and  revolutionary  approach  to  a  missile 
launcher,  a  very  intensive  and  specialized  course  of  instruction  is  required 
to  operate  it  safely.  Both  military  and  civilian  personnel  who  work  with  VLS 
undergo  this  extensive  training  and  complete  an  individual  qualification  and 
certification  program.  The  technical  manuals  for  VLS  contain  the  only 
approved  procedures  for  operating,  maintaining  and  troubleshooting  this 
system.  These  procedures  were  tested  and  proven  during  the  course  of 
developing  VLS  and  are  the  ONLY  safe  procedures  to  use.  There  will  never  be 
any  bulletins  or  technotes  published  for  VLS  to  avoid  any  question  of 
ambiguous  procedures.  This  regimentation  is  absolutely  essential  for  safe 
operation. 

There  are  a  great  many  challenges  still  to  come  for  this  new  system,  this 
paper  has  focused  on  the  need  to  meet  them  safely.  Safety  was  only  one  of  a 
number  of  major  program  objectives  for  VLS...  but  it  was  the  NUMBER  ONE 
objective,  and  in  the  words  of  Robert  Frost  "...that  has  made  all  the 
difference." 
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Figure  1.  VLS  Architecture 
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Figure  11.  Cardinal  Rules  of  VLS  Safety 


